Privacy, data and different jurisdictions: How legal approaches differ between the U.S. and EU

In an increasingly globalized economy, the practice of law has expanded across borders as companies’ employees, actions and influence continue to spread through multiple jurisdictions. The varying privacy laws of different countries, industries and even states have far-reaching implications for law practitioners within the electronic discovery sphere. The growth in big data and cloud storage has only compounded these challenges for e-discovery professionals.

In the first two articles of this series, we explored the challenges around data privacy laws that exist within the United States and international jurisdictions outside the European Union. Here, we will examine how cultural expectations, history and legal approaches concerning data privacy differ markedly between the United States and EU countries, and the practical implications for in-house counsel.

Worlds apart

When it comes to data privacy laws and attitudes, there can be significant variances between jurisdictions within the United States and between the United States and non-EU countries. However, perhaps the greatest differences lie between the United States and the European Union. Some of this is based on history and culture. Having witnessed firsthand how a tyrannical government in Nazi Germany was able to persecute a specific sector of society, Europeans tend to hold strong beliefs about the need to protect the personal information of citizens from those who might do them harm.

Attitudes on privacy differ not only between the EU member states and the United States; there are also variations within the EU itself. For example, Germany has some of the most stringent laws of all the nations within Europe, while the United Kingdom allows more leeway.

In the United States, the importance of freedom of information tends to outweigh the desire to protect personal data. While there are some obvious limits to this, such as the Health Insurance Portability and Accountability Act (HIPAA), Americans generally accept that they do not have a guaranteed right to cloak their personal information in privacy, whereas Europeans believe this right to be paramount.

Americans and Europeans also have diverging attitudes toward litigation. The United States is a far more litigious society, perhaps in part because discovery has a much farther reach than in Europe. In the EU, it is also more likely that losing parties will be obliged to cover not only their own discovery expenses, but the other side’s costs. In turn, that persuades those in EU countries to draft narrower discovery requests, rather than launch so-called “fishing expeditions.”

Regulations across the EU

The main privacy law governing data in the EU is the Data Protection Directive, known formally as Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In essence, the directive prohibits the disclosure to a government entity of what any individual may deem to be personal, such as age, ethnicity or religion.

The directive includes two stipulations: a) the Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data; and b) the Directive on the Protection of Individuals with Regard to Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data.

Along with the Data Protection Directive, each member state of the EU has its own privacy laws. This can keep some data from moving freely even within the EU. For example, a matter in one EU member state may include data that a legal team would prefer to process in the United Kingdom, because of that country’s sophisticated market and lower expenses. However, privacy laws in the member state where the data resides may prevent this movement of information outside the state.

Since these regulations also prevent a vast amount of data from being brought to the United States, legal teams either must filter out all “personal information” from data collected from an EU nation before moving it to the United States or find other solutions.

Managing data across borders

U.S. in-house counsel have several options when managing potentially responsive data from EU countries. The right approach may be different for different matters.

Some e-discovery providers have recognized the situation and set up international data centers to process information in-country where possible. Others have adopted an EU safe harbor certification, which treats U.S. data centers like an EU embassy. However, most EU countries do not recognize these safe harbors because they are self-regulated. A final option available in instances when data sets are relatively small is to set up a mobile processing center. In this instance, data is effectively culled at the source to weed out all personal information before it can then be reviewed by counsel.

Privacy laws can vary significantly across jurisdictions, even within the same country. In order to remain in compliance wherever clients face litigation, in-house counsel need to be prepared and plan ahead.